Profile Applicability:
Level 2
Description:
Audit configuration files define the auditing rules and policies on the system. Setting file permissions to 640 or more restrictive ensures that only the owner (root) can modify the files and the group can read them, while others have no access. This helps protect the audit configuration from unauthorized modification.
Rationale:
Restricting permissions on audit configuration files maintains the integrity and confidentiality of audit policies, preventing unauthorized changes that could disable or alter auditing.
Impact:
Pros:
Protects audit configurations from unauthorized modifications.
Ensures only privileged users have access to audit rules.
Cons:
Overly restrictive permissions might impact legitimate access by audit services.
Default Value:
Permissions may vary; verification and correction may be required.
Pre-requisites:
Root or sudo privileges to audit and modify file permissions
Remediation:
Test Plan:
Using Linux command line:
Check current permissions of audit configuration files:
ls -l /etc/audit/audit.rules /etc/audit/rules.d/
Verify files have permissions set to 640 or more restrictive (e.g., 600).
Implementation Plan:
Using Linux command line:
Set permissions to 640 for audit configuration files:
chmod 640 /etc/audit/audit.rules
find /etc/audit/rules.d/ -type f -exec chmod 640 {} +   # files only, so the rules.d directory keeps its search (x) bit
Verify changes:
ls -l /etc/audit/audit.rules /etc/audit/rules.d/
Backout Plan:
Using Linux command line:
Restore previous permissions from backups if necessary.
Confirm audit services function correctly after changes.
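The check, remediation and backout steps above as one script. This is an added example, not part of the benchmark text. It assumes GNU find and stat; the function names and the AUDIT_DIR and BACKUP variables are hypothetical. It tests for "640 or more restrictive" by mask and clears only the offending bits, so a file already at 600 is not loosened to 640.

```shell
#!/bin/sh
# Added example (not from the benchmark). Assumes GNU find and stat.
# AUDIT_DIR and BACKUP are hypothetical overridable defaults.
AUDIT_DIR="${AUDIT_DIR:-/etc/audit}"
BACKUP="${BACKUP:-/root/audit-modes.before}"

# Print regular files that have any permission bit outside 0640 set.
# 0137 is the complement of 0640, so 600 and 400 pass; 644 and 660 do not.
find_noncompliant() {
    find "$1" -type f -perm /0137
}

# Record "mode path" for every file so the backout plan can restore it.
save_modes() {    # $1 = directory, $2 = backup file
    find "$1" -type f -exec stat -c '%a %n' {} + > "$2"
}

# Clear only the offending bits; a file already at 600 is not widened to 640.
remediate() {
    find "$1" -type f -perm /0137 -exec chmod u-x,g-wx,o-rwx {} +
}

# Reapply the recorded modes (paths containing newlines are not supported).
restore_modes() { # $1 = backup file
    while read -r mode path; do
        chmod "$mode" "$path"
    done < "$1"
}

case "${1:-}" in
    check)   find_noncompliant "$AUDIT_DIR" ;;
    fix)     save_modes "$AUDIT_DIR" "$BACKUP" && remediate "$AUDIT_DIR" ;;
    backout) restore_modes "$BACKUP" ;;
esac
```

Run it as root with the argument check, fix or backout; with no argument it only defines the functions.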
References:
CIS Amazon Linux 2 Benchmark v3.0.0